Check: SCOM-IA-000001
Microsoft SCOM STIG: SCOM-IA-000001 (in version v1 r1)
Title
The Microsoft SCOM SNMP Monitoring in SCOM must use SNMP V3. (Cat III impact)
Discussion
SNMP versions 1 and 2 do not use a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). SCOM is capable of monitoring devices over every SNMP version, so SNMP v1 and v2 monitoring should be used only when the device being monitored does not support SNMP V3.
Check Content
From the SCOM Console, select the Administration workspace. Navigate to Run As Configuration and select Accounts. Review all of the listed Accounts. If any account is listed under the "Community String" type, this is a finding.
Fix Text
Create SNMP V3 Run As accounts and use these to monitor network devices. Note that for this to work, SNMP V3 must be set up on the network device being monitored, and some of the configuration information for this account must be obtained from that device. From the SCOM Operations Console, select the Administration workspace, expand Run As Configuration, and select Accounts. Right-click and choose "Create Run As accounts". Click "Next" at the first screen and, in the Run As account type, choose SNMP V3 account. Give it an appropriate display name and complete the wizard, supplying the relevant information from the monitored network device(s).
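The console procedure above can be audited from PowerShell with the OperationsManager module that ships with the SCOM console. This is an added example, not part of the STIG text: the management server name is a placeholder, and the `AccountType` property value `CommunityString` and the `-SnmpV3` parameter set of `Add-SCOMRunAsAccount` are assumed to match the console's account type names.

```powershell
# Added audit script for SCOM-IA-000001 (not part of the STIG).
# Assumes the OperationsManager module is installed (it comes with the SCOM console).
Import-Module OperationsManager

# Placeholder management server; replace with your own.
$managementServer = 'scom-ms01.example.test'
New-SCOMManagementGroupConnection -ComputerName $managementServer

$accounts = Get-SCOMRunAsAccount

# Check Content: any account of the "Community String" type (SNMP v1/v2c) is a finding.
# The 'CommunityString' AccountType value is assumed from the console's account type name.
$findings = $accounts | Where-Object { $_.AccountType -eq 'CommunityString' }

if ($findings) {
    Write-Output 'FINDING (SCOM-IA-000001): Community String Run As accounts are present:'
    $findings | Select-Object Name, AccountType, Description | Format-Table -AutoSize
} else {
    Write-Output 'PASS (SCOM-IA-000001): no Community String Run As accounts found.'
}

# Fix Text, scripted: create an SNMP V3 Run As account instead of a community string.
# User name, protocols and keys must match what is configured on the monitored device;
# the values below are placeholders. Parameter names follow the module's -SnmpV3 set (assumed).
$authKey = Read-Host -AsSecureString -Prompt 'SNMPv3 authentication key'
$privKey = Read-Host -AsSecureString -Prompt 'SNMPv3 privacy key'
Add-SCOMRunAsAccount -SnmpV3 -Name 'SNMPv3 - Core Switches' `
    -Description 'SNMP V3 account for network device monitoring (SCOM-IA-000001)' `
    -UserName 'scom-monitor' `
    -AuthenticationProtocol 'SHA' -AuthenticationKey $authKey `
    -PrivacyProtocol 'AES' -PrivacyKey $privKey
```

Re-run the audit portion after migrating each device and removing its Community String account; the check passes only when no Community String accounts remain.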
Additional Identifiers
Rule ID: SV-237435r643951_rule
Vulnerability ID: V-237435
Group Title: SRG-APP-000395-NDM-000310
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001967 | The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
Controls
Number | Title |
---|---|
IA-3 (1) | Cryptographic Bidirectional Authentication |